Wednesday, May 14, 2014

Article: How Secure Are India's Elections? (Huffington Post)

According to exit polls, Narendra Modi is likely to be declared the next Prime Minister of India. The only thing that might stand in his way is an electronic voting machine (EVM).

The problems with EVM security have been widely known since the large-scale irregularities in Florida during the 2000 elections.

Many countries have moved to get rid of them. In 2006 Dutch TV aired adocumentary showing how easy it was to hack the EVMs that were about to be used in their general election. The machines were subsequently withdrawn and the Netherlands went back to paper ballots.

And, after spending close to $75 million on its EVMs, Ireland found them to be so insecure they literally scrapped them.

In 2009, Steve Stigall, a CIA cybersecurity expert, told the U.S. Election Assistance Commission there were concerns over electronic vote-rigging in Venezuela, Macedonia and Ukraine. According to the McClatchy report on his testimony:

[Stigall] said that elections also could be manipulated when votes were cast, when ballots were moved or transmitted to central collection points, when official results were tabulated and when the totals were posted on the Internet.

Concerns about the Indian EVMs were raised during the 2009 election in part as a result of an astounding discovery on the Elections Commission of India (ECI) website. Dr. Anupam Saraph, at the time Chief Information Officer for the city of Pune, and Prof. M D Nalapat, Vice-Chair of the Manipal Advanced Research Group, discoveredfiles on the ECI website that seemed to show election results days before votes were actually cast and counted.

India's 2009 elections were held in 5 phases, running from April 16 to May 13. Counting was not supposed to begin until all the phases were complete. Before the voting started, Saraph and Nalapat decided to track the elections and create a wikifor constituencies and candidates, with data sourced from Excel files on the ECI website.

The ECI spreadsheets contained what you would expect: candidate's name, gender, address, party, etc. But, starting May 6, the spreadsheet changed and something unexpected was added.

From May 6 onwards, the candidate's name was 'coded', based on their position on the EVM, and the number of 'votes polled' were added, even though voting had yet to take place in many constituencies and, even where voting had taken place, votes were yet to be counted. Even more confounding, the 'votes polled' numbers were adjusted in subsequent spreadsheets before the results were announced.

The team immediately alerted the National Informatics Centre (NIC) and the ECI that it looked like their website was posting results before voting had been completed. The NIC responded within an hour confirming the observation and itself alerting the ECI. There was no response from the ECI.

On May 16, the election results were declared. On that day the spreadsheet on the ECI website contained candidate's name, gender, address, party, etc. just like on April 16, but with no votes cast data at all -- making pre and post election comparison with the peculiar 'votes polled' numbers impossible.

Subsequently, a team of IT specialists, including J. Alex Halderman from the University of Michigan, Electronic Frontier Foundation's Pioneer Award winner Hari K. Prasad, and Dutch Internet pioneer Rop Gonggrijp, used an actual Indian EVM to demonstrate two ways it could be hacked.

As Florida voters (and watchers of Scandal) know, often elections come down to just a few precincts in a few constituencies. Those wishing to swing an election need only manipulate a few well-chosen machines. Less than that if the goal is just to ensure specific people gain or maintain their seats.

Worried about the safety of their democracy, concerned citizens got involved. Former Minister for Law, Commerce and Justice, Dr. Subramanian Swamy, took up the mantle and went to the Supreme Court of India, winning a ruling that the Indian EVMs would at least have to prove a paper trail.

However, only 8 of 543 constituencies in this election have a Vote Verifier Paper Audit Trail (VVPAT) system. And there have already been reports of serious EVM malfunction, with two machines reportedly transferring all votes cast to Congress. This is apart from the separate issue of inaccurate voter lists, which saw at least hundreds of thousands of voters being disenfranchised, resulting in an apology from the Election Commission, but no revote.

Whatever happens with this election, there is going to have to be a serious rethink about how the ECI, and elections, are run in India. Those who have the upper hand this time, may not be so lucky next time. Do they really want to open that box? There can't even be the whiff of impropriety. In a country that believes in democracy, EVM rigging isn't stealing an election, it's stealing the soul of a nation.

wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to . . . make bad things happen.

India's democracy is a one of the wonders of the world. As in all democracies, the solemn act of vote casting is the one moment when everyone is equal, everyone is valued, everyone is part of the nation and everyone's voice gets heard.

If that voice is stifled or stolen, if that safety valve is closed, if that compact between the individual and the state is ruptured, then that delicate relationship is broken and the individual owes nothing to the state. And that, as the man says, can certainly make bad things happen.